<?php
include "webmaster_connect.php";

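// Webmaster login handler: looks up the posted username, checks the posted
// password against the stored salted hash, and on success marks the session
// as authenticated before redirecting to the account page.
//
// NOTE(review): the mysql_* extension used below was removed in PHP 7. This
// block keeps it because the connection is opened by webmaster_connect.php
// (not visible here); the durable fix is mysqli or PDO with prepared
// statements.
session_start(); // must run before any $_SESSION access

// Accept only string fields. A missing or array-valued field becomes '' so it
// follows the normal "no such user" / "incorrect password" paths instead of
// raising notices or warnings further down.
$username = (isset($_POST['webmaster_username']) && is_string($_POST['webmaster_username']))
    ? $_POST['webmaster_username']
    : '';
$password = (isset($_POST['webmaster_password']) && is_string($_POST['webmaster_password']))
    ? $_POST['webmaster_password']
    : '';

// The database connection is expected to be open already (see the include
// at the top of the file).
// NOTE(review): mysql_real_escape_string() is only reliable when the
// connection charset was set with mysql_set_charset() - confirm in
// webmaster_connect.php.
$username = mysql_real_escape_string($username);
$query = "SELECT *
        FROM webmaster_users
        WHERE username = '$username';";
$result = mysql_query($query);

// A failed query (false) is handled like "no rows" so the fetch below never
// runs on a non-resource.
if ($result === false || mysql_num_rows($result) < 1) {
    // NOTE(review): this message differs from the wrong-password one, which
    // tells a caller whether a username exists. Using one generic message
    // needs a matching change in webmaster_login.php, so it is left as is.
    header('Location: ../webmaster_login.php?error=user?not?recognised');
    die();
}

$userData = mysql_fetch_array($result, MYSQL_ASSOC);

// NOTE(review): salted SHA-256 is a fast hash and is weak for password
// storage. Migrating to password_hash()/password_verify() needs a stored-hash
// migration, so the existing scheme is kept here.
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password));
$storedHash = (string) $userData['password'];
$webmaster_id = $userData['id'];
$webmaster_permission = $userData['permission'];

// Compare as strings, never with loose ==/!=, which applies numeric type
// juggling to numeric-looking strings. hash_equals() (PHP >= 5.6) is also
// timing-safe; older runtimes fall back to a strict comparison.
$passwordMatches = function_exists('hash_equals')
    ? hash_equals($storedHash, $hash)
    : ($storedHash === $hash);

if (!$passwordMatches) {
    header('Location: ../webmaster_login.php?error=incorrect?password');
    die();
}

// Issue a fresh session id at the privilege change and delete the old session
// data, so a pre-login session id cannot be reused.
session_regenerate_id(true);
$_SESSION['valid'] = 1;
$_SESSION['webmasterid'] = $webmaster_id;
$_SESSION['webmaster_permission'] = $webmaster_permission;
header('Location: webmaster_account.php?successful?login');
die(); // stop after the redirect, as the failure branches do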
//redirect to another page or display "login success" message

?>